[pLog-svn] [Lifetype Vulnerability] Very Serious File Disclosure Problem (read passwords/config whatever you want)

howard chen howachen at gmail.com
Wed Feb 14 09:14:10 EST 2007


On 2/14/07, Matt Wood <matt at woodzy.com> wrote:
> It has to be relative because of smarty. And some smarty installations have
> a "secure mode" (like lifetype.net) that won't allow access out of a
> specified sandbox.
>
> The real major danger I see is revealing the db password. And if your shell
> pass happened to be the same as that password, you are toast.
>

hello,

Isn't it the case that the template must have an extension ending in .template?
So you can only load any template you want...

So how do you load other non-template files such as config.properties.php?

P.S.
If you think it is too sensitive to tell right now, remember to
provide the cause maybe after some time, once most people have fixed
this bug. :)

This is useful for other projects as well.
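As an added example, not code from the LifeType project, from Smarty, or from either poster in this thread: the question above is why a loader that only accepts names ending in .template could still expose a file such as config.properties.php. The Python below is a generic, hypothetical template resolver that shows why a suffix check alone is not a sandbox, and what a canonical-path check (the kind of sandbox a "secure mode" would enforce) adds. The directory layout, file names other than config.properties.php, and file contents are constructed for the demo.

```python
"""Added example: sandboxing user-supplied template names.

Hypothetical loader, not LifeType/Smarty code. It contrasts a check that only
looks at the .template suffix with one that also canonicalises the path and
requires it to stay under the template root.
"""
import os
import shutil
import tempfile
from typing import Dict, Tuple

TEMPLATE_EXT = ".template"


def extension_only_check(name: str) -> bool:
    """The weak rule: accept anything whose name ends in .template."""
    return name.endswith(TEMPLATE_EXT)


def resolve_template(template_root: str, name: str) -> str:
    """Return the canonical absolute path of `name` inside `template_root`.

    Raises ValueError for NUL bytes, absolute names, a missing .template
    suffix, or a name whose canonical path (symlinks and '..' resolved) lies
    outside the canonical template root.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    if os.path.isabs(name):
        raise ValueError("absolute template path rejected")
    if not name.endswith(TEMPLATE_EXT):
        raise ValueError("template name must end with " + TEMPLATE_EXT)
    root = os.path.realpath(template_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Compare against root plus a separator so that a root of "/srv/templates"
    # does not accidentally accept "/srv/templates2/x.template".
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("template resolves outside the template root")
    return candidate


def build_demo_tree() -> Tuple[str, str, bool]:
    """Create a constructed install layout; return (install, root, has_symlink)."""
    install = tempfile.mkdtemp(prefix="demo-install-")
    root = os.path.join(install, "templates")
    os.makedirs(os.path.join(root, "default"))
    with open(os.path.join(root, "default", "main.template"), "w") as fh:
        fh.write("<html>{$title}</html>\n")
    # A sensitive file one level above the template root, as in the thread.
    with open(os.path.join(install, "config.properties.php"), "w") as fh:
        fh.write("<?php $config['db_password'] = 'constructed-secret'; ?>\n")
    # A symlink inside the template root that points back out of it.
    try:
        os.symlink(install, os.path.join(root, "escape"))
        has_symlink = True
    except (OSError, NotImplementedError):
        has_symlink = False
    return install, root, has_symlink


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Map each requested name to (passes_suffix_check, passes_sandbox_check)."""
    install, root, has_symlink = build_demo_tree()
    names = [
        "default/main.template",      # legitimate template
        "../config.properties.php",   # no .template suffix, outside root
        "../secret.template",         # suffix ok, but escapes the root via ..
    ]
    if has_symlink:
        names.append("escape/secret.template")  # suffix ok, escapes via symlink
    results = {}
    try:
        for n in names:
            try:
                resolve_template(root, n)
                sandboxed = True
            except ValueError:
                sandboxed = False
            results[n] = (extension_only_check(n), sandboxed)
    finally:
        shutil.rmtree(install, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, (suffix_ok, sandbox_ok) in run_demo().items():
        print(f"{name!r:40} suffix={suffix_ok!s:5} sandbox={sandbox_ok}")
```

The suffix rule passes "../secret.template" and the symlinked name, because both end in .template; only the canonical-path comparison catches them. The NUL-byte rejection is there because a name is often handed to lower-level path functions that stop at the first NUL, so a check done on the full string can disagree with what the file system actually opens.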

